When we build and run source code of “SampleNetworkMonitor" with developer provisioning profile it works fine.
But when we try to build and run with the distribution provisioning profile, we get the following error. The results will not change even if we notarize the application.
Both provisioning profiles created with the same bundle identifier that have capabilities enabled: System Extension, Network Extension, and App Group
How can we solve this crash?
Error:
Exception Type: EXCCRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXCCORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
Environment:
Xcode: 11.5
MacOS: 10.15.5
Entitlement:
Code Sign result:
But when we try to build and run with the distribution provisioning profile, we get the following error. The results will not change even if we notarize the application.
Both provisioning profiles created with the same bundle identifier that have capabilities enabled: System Extension, Network Extension, and App Group
How can we solve this crash?
Error:
Exception Type: EXCCRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXCCORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
Environment:
Xcode: 11.5
MacOS: 10.15.5
Entitlement:
Code Block <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>XXXXX.group.XXXXX.netextension</string> </array> </dict> </plist>
Code Sign result:
Code Block ~ % codesign -v -vvv /Users/ravi-kb/Desktop/notarize/Sample\ Network\ Listener.app /Users/***/Desktop/notarize/Sample Network Listener.app: valid on disk /Users/***/Desktop/notarize/Sample Network Listener.app: satisfies its Designated Requirement ~ % codesign -d -vvv --entitlements :- /Users/***/Desktop/notarize/Sample\ Network\ Listener.app Executable=/Users/***/Desktop/notarize/Sample Network Listener.app/Contents/MacOS/Sample Network Listener Identifier=com.***.networkextensionapp Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20500 size=1483 flags=0x10000(runtime) hashes=37+5 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=56eaec49fcba92ca74fbfadf292494b0770fed67 CandidateCDHashFull sha256=56eaec49fcba92ca74fbfadf292494b0770fed67d3c6264a9e42239a2077c6dd Hash choices=sha256 CMSDigest=56eaec49fcba92ca74fbfadf292494b0770fed67d3c6264a9e42239a2077c6dd CMSDigestType=2 CDHash=56eaec49fcba92ca74fbfadf292494b0770fed67 Signature size=8976 Authority=Developer ID Application: The *** Company (***) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=20-Jul-2020 at 4:59:23 PM Info.plist entries=23 TeamIdentifier=*** Runtime Version=10.15.6 Sealed Resources version=2 rules=13 files=9 Internal requirements count=1 size=224 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>{Team ID}.{Bundle ID}</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>{Team ID}</string> <key>com.apple.security.application-groups</key> <array> <string>{Team ID}.{Bundle ID}</string> </array> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> </plist>
Since you have signed and built with a Developer ID Certificate:
And I am assuming with a Developer ID provisioning profile you will need to change the content-filter-provider entitlement string to be content-filter-provider-systemextension. Check out the entitlement contained in the provisioning profile by using the following:
The core issue here usually is the entitlements from the provisioning profile and the entitlemens the app/extension was built and signed with do not match and that is what is causing this crash.
Try inspecting your profile, altering the entitlements, rebuilding, and notarizing to see if you get the same issue.
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Code Block Authority=Developer ID Application: The * Company (*) Authority=Developer ID Certification Authority Authority=Apple Root CA
And I am assuming with a Developer ID provisioning profile you will need to change the content-filter-provider entitlement string to be content-filter-provider-systemextension. Check out the entitlement contained in the provisioning profile by using the following:
Code Block % security cms -D -i app_profile.provisionprofile
The core issue here usually is the entitlements from the provisioning profile and the entitlemens the app/extension was built and signed with do not match and that is what is causing this crash.
Try inspecting your profile, altering the entitlements, rebuilding, and notarizing to see if you get the same issue.
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com